Software security is no longer an emerging discipline, and here's why enterprises should care
Software security (also known as application security to some) is less than a decade old. In 1999 when I began to write "Building Secure Software" with John Viega, there were no books and only a few articles for software developers and architects interested in building in security. Lots of tomes and titles now fill the software security bookshelf.
Not surprisingly, software security is now considered a real subsector of computer security and is even tracked by analysts. The Yankee Group estimates that the entire market is worth between $250-275 million, numbers that jibe with my own breakdown of the space.
As software security grows from a nice-to-have into a necessity, many companies are trying to determine how to get started. A quick look over the space can provide some answers.
Last year, the combined software security tools market earned between $90-$100 million. Most of this revenue was earned by black box testing tools, especially those tools created specifically for testing Web software. Black box testing tool vendors earned between $58-$70 million. The leader in the Web application security testing space is Watchfire, which earned close to $30 million last year. The other strong competitor, SPI Dynamics, earned just over $18 million. Lesser companies in the space, including Cenzic, Codenomicon, and the like, earned another $10 million or so between them.
My view of black box testing tools, which I call "badness-ometers," is well known. In brief, badness-ometers are great for helping identify and highlight the software security problem -- just don't treat them as security meters. As such, I'm pleased that the market for these tools is robust, having doubled last year and continuing with similar growth into 2007. The best aspect of these tools is that they help companies and developers understand that their software is broken -- an essential activity in a new market like software security. Once this realization hits home, these companies are well positioned to take advantage of code analysis tools and other software security professional services.
If your company has yet to come to grips with software security, a black box testing tool may be just what the doctor ordered. On good days, these tools can find very serious problems with very little up front investment, and in many organizations, identifying the problem is often half the battle.
As badness-ometers continue to spread, they drive demand for solutions that do more than identify the problem. Source-code analysis tools speak to this demand. Last year, code scanners earned around $20 million (more than doubling the 2005 revenue). This market is dominated by Fortify, which earned 10 times more than its closest remaining competitor, Ounce Labs. (Fortify acquired some of the assets of Secure Software early this year.) Klocwork and Coverity, which sell closely related tools, tend to focus more on software quality than software security, so I don't count their revenue in this analysis.
Code scanning tools are often very reasonable places to start for development groups that want to tackle the software security problem, especially in shops that are code intensive.
Software security testing tools and source code analysis tools don't run themselves, nor do they provide a silver bullet for the software security problem. All told, the software security services market is worth anywhere from $80-$120 million. SPI Dynamics' and Watchfire's offerings are simple and powerful enough to be wielded by workaday testers and developers, but more complex tools work much more effectively when they are properly integrated into an organization.
Large consultancies such as IBM Global Services, Cybertrust, Symantec, and Ernst & Young focus their software security activities on application penetration testing services. Ultimately, these are badness-ometer services. In many cases, they rely on running and reporting the results of a Web application security testing tool.
Boutique consulting shops such as Foundstone and Cigital focus more attention on getting inside the code. These consultancies wield source code scanners, provide training, and also perform architectural risk analysis.
In 2006, services surrounding more complete software security initiatives at the enterprise level came into vogue. These large scale initiatives include training for thousands of developers, the creation of enterprise-specific knowledge and guidance, and the integration of software security best practices (which I call the touchpoints) into the software development lifecycle.
Software security is quickly becoming a business necessity. As I described in last month's column, SOX and PCI compliance activities serve to help corporations better understand their software risk. (See Compliance As Kick-Starter.) Because the impact of software failure (maliciously caused or otherwise) is great, many corporations are already working diligently on software security.
There are many ways to get started. Those corporations serious about tackling the problem -- that is, those corporations with staggering amounts of software security risk -- take on multi-year enterprise software security initiatives. Microsoft has made plenty of noise and progress with its Trustworthy Computing initiative. Other ISVs, including Oracle and Cisco, are rushing to catch up even as their customers begin to ask hard questions about product security. The financial vertical leads the pack among non-ISV corporations with large scale initiatives underway. The first step in any large initiative is creating a plan based on best practices. Such plans almost always include a heavy training component.
A large initiative may be too much to bite off at once, especially if your company has yet to come to grips with the business reality of the problem. In these cases, getting started with a simple badness-ometer tool is often helpful. These tools can produce eye-opening results of the "oh darn" variety, which in turn provide excellent ammunition to counter challengers who claim "our software is just fine."
Another alternative is hiring a security team to analyze a critical application. The deeper the analysis, the better the results will be; but even a quick and dirty penetration test can serve to get the ball rolling.
Training also makes a great starting point, especially if it is focused on developers and architects. The trick to successful software security training is to make sure that whoever develops and delivers it is a bona fide software person. Years of security experience will not help without deep knowledge of C, C++, Java, and software architecture. Developers only listen to their own kind.
No matter what the route, there is no longer any excuse to put off software security. Customers are becoming aware of the problem, regulations demand real solutions, and the reactive network security hacks of the past consistently fail.
Computer security spent many years in a reactive stance, with vendors inventing and peddling band-aid solutions like firewalls, antivirus tools, and intrusion detection engines. Only recently has the stark reality of security begun to sink in. We have no alternative but to build security into the software that we depend on to run the modern world.
Gary McGraw is CTO of Cigital Inc. Special to Dark Reading